Results 1 to 3 of 3

Thread: log

  1. #1
    Junior Member
    Join Date
    May 2007
    Posts
    1

    Default log

    Thx to SDFix i can delete smitfraud core thx

    SDFix: Version 1.85

    Run by THUYET - Tue 05/29/2007 - 17:15:07.73

    Microsoft Windows XP [Version 5.1.2600]

    Running From: C:\DOCUME~1\THUYET\Desktop\SDFix\SDFix

    Safe Mode:
    Checking Services:

    Name:
    core

    ImagePath:
    system32\drivers\core.sys

    core - Deleted



    Restoring Windows Registry Values
    Restoring Windows Default Hosts File

    Rebooting...


    Normal Mode:
    Checking Files:

    Below files will be copied to Backups folder then removed:

    C:\DOCUME~1\THUYET\LOCALS~1\Temp\uninstall.exe - Deleted
    C:\WINDOWS\retadpu1000137.exe - Deleted
    C:\WINDOWS\retadpu1000140.exe - Deleted
    C:\WINDOWS\system32\cmd.com - Deleted
    C:\WINDOWS\system32\drivers\core.cache.dsk - Deleted
    C:\WINDOWS\system32\drivers\core.sys - Deleted
    C:\WINDOWS\system32\netstat.com - Deleted
    C:\WINDOWS\system32\ping.com - Deleted
    C:\WINDOWS\system32\taskkill.com - Deleted
    C:\WINDOWS\system32\tasklist.com - Deleted
    C:\WINDOWS\system32\tracert.com - Deleted
    C:\WINDOWS\wr.txt - Deleted


    Folder C:\Program Files\Ipwindows - Removed

    Removing Temp Files...

    ADS Check:

    Checking if ADS is attached to system32 Folder
    C:\WINDOWS\system32
    No streams found.

    Checking if ADS is attached to svchost.exe
    C:\WINDOWS\system32\svchost.exe
    No streams found.



    Final Check:

    Remaining Services:
    ------------------



    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

    Remaining Files:
    ---------------

    Backups Folder: - C:\DOCUME~1\THUYET\Desktop\SDFix\SDFix\backups\backups.zip

    Checking For Files with Hidden Attributes:

    C:\Documents and Settings\THUYET\Local Settings\Application Data\Microsoft\Messenger\holy_yogourt@hotmail.com\Sharing Folders\medy4@msn.com\AlbumArtSmall.jpg
    C:\Documents and Settings\THUYET\Local Settings\Application Data\Microsoft\Messenger\holy_yogourt@hotmail.com\Sharing Folders\medy4@msn.com\AlbumArt_{497BCB49-4616-4F3D-A2A7-434E043940C9}_Large.jpg
    C:\Documents and Settings\THUYET\Local Settings\Application Data\Microsoft\Messenger\holy_yogourt@hotmail.com\Sharing Folders\medy4@msn.com\AlbumArt_{497BCB49-4616-4F3D-A2A7-434E043940C9}_Small.jpg
    C:\Documents and Settings\THUYET\Local Settings\Application Data\Microsoft\Messenger\holy_yogourt@hotmail.com\Sharing Folders\medy4@msn.com\desktop.ini
    C:\Documents and Settings\THUYET\Local Settings\Application Data\Microsoft\Messenger\holy_yogourt@hotmail.com\Sharing Folders\medy4@msn.com\Folder.jpg
    C:\Documents and Settings\THUYET\Local Settings\Application Data\Microsoft\Messenger\holy_yogourt@hotmail.com\Sharing Folders\medy4@msn.com\Thumbs.db
    C:\Documents and Settings\THUYET\Desktop\cakepub2.exe

    Finished

    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 12:36:58 PM, on 5/26/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
    C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
    C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\pctspk.exe
    C:\WINDOWS\System32\PV92Tray.exe
    C:\WINDOWS\Mixer.exe
    C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
    C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
    C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
    C:\Program Files\Logitech\ImageStudio\LogiTray.exe
    C:\Program Files\Lexmark 3300 Series\lxccmon.exe
    C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    C:\WINDOWS\retadpu1000137.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Paltalk Messenger\palstart.exe
    C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
    C:\WINDOWS\System32\lxcccoms.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\Program Files\MSN Messenger\usnsvc.exe
    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    D:\HiJackThis_v2.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
    O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
    O4 - HKLM\..\Run: [PV92TRAY] PV92Tray.exe
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
    O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
    O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
    O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
    O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
    O4 - HKLM\..\Run: [lxccmon.exe] "C:\Program Files\Lexmark 3300 Series\lxccmon.exe"
    O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu1000137.exe 61A847B5BBF72813329B385771FE01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310F3D1DC7E4638E8323A15806F97BDE4417E70CE7C0726B954E2C2832213319C26033AAC01F09DDF7618419154310B87659CA5E04E5067DF690232BC10E3C283231135856D1E27
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [LXCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCCtime.dll,_RunDLLEntry@16
    O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /startmonitor
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
    O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKCU\..\RunOnce: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - Startup: PalNetaware.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: PalStart.lnk = C:\Program Files\Paltalk Messenger\palstart.exe
    O4 - Global Startup: Picture Package Menu.lnk = ?
    O4 - Global Startup: Reboot.exe
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
    O16 - DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} (CPlayFirstDinerDash2Control Object) - http://www.bigfishgames.com/online/d...2.1.0.0.48.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1109667052765
    O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/W...gPublisher.exe
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
    O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/game...Plugin9USA.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: AVSync Manager (AvSynMgr) - Networks Associates Technologies, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
    O23 - Service: lxcc_device - Lexmark International, Inc. - C:\WINDOWS\System32\lxcccoms.exe
    O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
    O24 - Desktop Component 0: (no name) - http://www.dieselstation.com/wallpap...Spyder-007.jpg

    --
    End of file - 9279 bytes

  2. #2
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,252

    Default

    Welcome to Safer Networking, I wish to be sure you have viewed and understand this information. "BEFORE you POST" (READ this Procedure before Requesting Assistance)
    http://forums.spybot.info/showthread.php?t=288
    All advice given is taken at your own risk.

    I appreciate it that you want to get the jump on things, but it is better, if you want our help that you follow the above directions. If your issues are not resolved and you still want help, please do this.

    1) See this: http://forums.spybot.info/showpost.p...80&postcount=2
    C:\Program Files\Java\jre1.5.0_03\ <<< Java is out of date, download the newest version and uninstall all old versions in Add Remove programs.
    While you are in AddRemove programs, uninstall Paltalk Messenger if it is there.

    2) You are running two antivirus programs at the same time and this is not a good thing. They conflict with each other and you will be less safe than if you ran one good program and maintained it properly.
    http://service1.symantec.com/SUPPORT...00031316555206
    "Microsoft recommends that you have only one anti-virus program installed on your computer."
    http://www.washingtonpost.com/wp-dyn...120300087.html
    http://www.smartcomputing.com/editor...8s07/38s07.asp

    C:\Program Files\McAfee\McAfee VirusScan\
    C:\Program Files\Alwil Software\Avast4\ash

    3) Please check at the top of Notepad, under the Formet tab and make sure Word Wrap is not checked.

    4) D:\HiJackThis_v2.exe <<< HJT must run from a drive, if D:\ is a drive, thant is fine, if not, move it to C:\ I would also like you to create a folder for HJT to store logs and backups in, like this: C:\HJT\HiJackThis_v2.exe

    5) How to make files and folders visible:
    Click Start > Open My Computer.
    Select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
    Uncheck: Hide file extensions for known file types
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm. Click OK.
    You may reverse this for safety when we are finished.

    6) Please download ATF Cleaner by Atribune
    http://www.atribune.org/content/view/25/2/
    Save it to your Desktop. We will use this later.

    7) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html G
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu1000137.exe
    (I removed that long number, check and remove the above item)
    O4 - Startup: PalNetaware.lnk = ?
    O4 - Global Startup: PalStart.lnk = C:\Program Files\Paltalk Messenger\palstart.exe
    O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe
    (next two are resource wasters related to Alexa toolbar, if you don't use Alexa, remove them)
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm G
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab

    Close all programs but HJT and all browser windows, then click on "Fix Checked"

    8) RIGHT Click on Start then click on Explore. Locate and delete these items:

    C:\WINDOWS\retadpu1000137.exe <<< delete that file

    C:\Program Files\Paltalk Messenger\ <<< delete that folder

    9) Run ATF Cleaner
    Double-click ATF-Cleaner.exe to run the program.
    Click Select All found at the bottom of the list.
    Click the Empty Selected button.
    Click Exit on the Main menu to close the program.

    Restart the computer and post a new HJT log.

    Thanks
    Last edited by pskelley; 2007-05-31 at 00:19. Reason: remove some of a long number
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  3. #3
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,252

    Default

    This topic is closed due to lack of a response.

    If you need it re-opened please send me or a forum staff member a private message (pm) and provide a link to the thread; this applies only to the original topic starter.

    Anyone else with similar problems please start a new topic.

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •